I have written a new tool called SubFinder (provisional name subject to change).
It does exactly as the name suggests: it finds subdomains of any given host. It does this via a few methods: first it looks in a couple of obvious places, and then it bruteforces the rest.
It will be released in the next couple of days.
I wanted to test it, so I ran it against Symantec.com.
It found over 200 subdomains (not all could be browsed, but loads could).
From the domain list I thought I would check some of them over for XSS issues. The reason you will find more issues on subdomains is, firstly, that they are usually used to host mini sites or sub sites, so when/if there is a code review these can be missed.
Also, subdomains are more often than not coded by outsourced suppliers, so even if Symantec had great processes in place (which they don’t), there is a chance that the outsourced suppliers do not.
(2) Symantec Connect Search Feature XSS (IE Only?)
(3) https://et.symantec.com XSS (Fixed 17th November 2010?)
(4) http://maillist.entsupport.symantec.com XSS
(5) Bit of a strange one this: if you go to https://renewalcenter.symantec.com/
and into the email box type
“><</div><script>alert(‘The TestManager SymanTec Xss SubFinderTest’)</script>
you should get an error which states that an invalid email address was entered.
Now change the URL to
and Bingo, XSS (is it being stored, making it a stored XSS?
I don’t think so, but not 100% sure) (Fixed 17th November 2010?)
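The renewal-center finding above is a reflected XSS in a form's "invalid email address" error message: whatever was typed into the email box is echoed back into the page unencoded. The following is an added example (not code from the original post or from Symantec) showing the vulnerable pattern beside a hardened version that validates the field and HTML-encodes anything it reflects; the email regex, the handler names and the sample input are constructed for illustration.

```python
import html
import re

# Constructed sample input (labelled constructed; not the payload from the post):
# a tag-breaking string of the kind a reflected error message would echo back.
SAMPLE_INPUT = '"><div><script>alert(1)</script>'

# Hypothetical, deliberately narrow email shape used as the validation policy.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def render_error_vulnerable(user_input: str) -> str:
    """Reflects the raw submitted value straight into the HTML error message.
    This is the pattern that turns a harmless validation error into reflected XSS."""
    return f"<div class='error'>Invalid email address entered: {user_input}</div>"


def handle_email_hardened(user_input: str) -> str:
    """Validate first; on failure, reflect the value only after HTML-encoding it.
    quote=True also encodes both quote characters, so the value cannot break out
    of an attribute either."""
    if len(user_input) > 254:  # RFC-ish upper bound, keeps error pages small
        return "<div class='error'>Invalid email address entered.</div>"
    if EMAIL_RE.fullmatch(user_input):
        return "<p>Thanks, your renewal notice will be sent.</p>"
    shown = html.escape(user_input, quote=True)
    return f"<div class='error'>Invalid email address entered: {shown}</div>"


def contains_active_markup(rendered: str) -> bool:
    """Crude check used only to demonstrate the difference: does the rendered page
    still contain a raw <script> tag or a tag-breaking '">' sequence?"""
    return "<script" in rendered.lower() or '">' in rendered


if __name__ == "__main__":
    print("vulnerable :", render_error_vulnerable(SAMPLE_INPUT))
    print("hardened   :", handle_email_hardened(SAMPLE_INPUT))
```

Encoding at the point of output is what closes the hole; the validation step is defence in depth and also means a well-formed address never reaches the error path at all.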
(6) http://www.symantec.com/ XSS (IE browsers only?) (Fixed 17th November 2010?)
(7) Open redirect to XSS – http://www.messagelabs.co.uk/ XSS – seems to only work in Firefox, and not in IE? (Fixed 17th November 2010?)
(8) http://www.symantec.com/ Connect Forward XSS IE only? (Fixed 17th November 2010?)
(9) https://symantecevents XSS
Site development on the above seems to have been outsourced to
I’m guessing all of their sites for Symantec would be easy targets. (Fixed 17th November 2010?)
(12) https://careers.symantec.com/ XSS (may need to visit the page twice, as the first time sets the cookie)
(17) Ouch: Denial of Service (DoS) via bad param injection =
http://techcenter.symantec.com redirects to http://techcenter.symantec.com/ecampus/enterprise =
which works fine, as do all other URLs on this techcenter subdomain.
However, if I now use the URL =
then every URL on that subdomain gets blown and the server responds with an HTTP 500 server error. This creates a denial of service on that subdomain.
(19) Every Symantec customer email address can be grabbed = http://bit.ly/91fZrT just change the id. You could start at 1 and work your way up. This is very easy to automate. Looks like over 16 million potential email addresses?
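Finding (19) is an insecure direct object reference: a sequential id in the URL resolves to a customer record with no check that the caller owns it, so the whole customer base can be walked by counting. The following is an added example (not code from the original post or from Symantec) showing the fix and a simple detection for it: records are addressed by an opaque, unguessable handle, the handler enforces ownership, and a small heuristic over access-log lines flags a client that requests a run of consecutive ids. The customer table, the handle scheme, the log format and the sample log lines are all constructed for illustration.

```python
import re
import secrets
from collections import defaultdict
from typing import Optional

# Constructed in-memory customer store keyed by sequential id (assumed shape).
CUSTOMERS = {
    1: {"email": "alice@example.com"},
    2: {"email": "bob@example.com"},
    3: {"email": "carol@example.com"},
}


def lookup_vulnerable(customer_id: int) -> Optional[str]:
    """Returns the email for any id with no authorization check:
    a client can enumerate every record just by incrementing the id."""
    rec = CUSTOMERS.get(customer_id)
    return rec["email"] if rec else None


# Opaque handles replace sequential ids in URLs. Hypothetical scheme:
# 24 random bytes, URL-safe, stored server-side next to the real id.
HANDLES = {}  # handle -> customer_id


def issue_handle(customer_id: int) -> str:
    """Mint an unguessable handle for a record (e.g. when emailing a link)."""
    handle = secrets.token_urlsafe(24)
    HANDLES[handle] = customer_id
    return handle


def lookup_hardened(handle: str, session_customer_id: int) -> Optional[str]:
    """Resolve the handle, then require that the logged-in customer owns it.
    Every failure returns the same None so the response does not reveal
    whether the handle exists but belongs to someone else."""
    cid = HANDLES.get(handle)
    if cid is None or cid != session_customer_id:
        return None
    return CUSTOMERS[cid]["email"]


# Constructed access-log lines (not from the page): 10.0.0.5 walks ids 1..5,
# 10.0.0.9 fetches a single record.
SAMPLE_LOG = """\
10.0.0.5 GET /customer?id=1 200
10.0.0.5 GET /customer?id=2 200
10.0.0.5 GET /customer?id=3 200
10.0.0.5 GET /customer?id=4 404
10.0.0.5 GET /customer?id=5 404
10.0.0.9 GET /customer?id=42 200
"""
LOG_RE = re.compile(r"^(\S+) GET /customer\?id=(\d+) (\d{3})$")


def flag_enumerators(log_text: str, threshold: int = 3) -> list:
    """Return clients whose requested ids include a run of at least `threshold`
    consecutive integers, a cheap signal of an IDOR scan worth alerting on."""
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ids_by_client[m.group(1)].add(int(m.group(2)))
    flagged = []
    for client, ids in ids_by_client.items():
        ordered = sorted(ids)
        longest = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= threshold:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    h = issue_handle(1)
    print("owner lookup :", lookup_hardened(h, 1))
    print("other user   :", lookup_hardened(h, 2))
    print("flagged      :", flag_enumerators(SAMPLE_LOG))
```

The ownership check is the part that actually stops the leak; the opaque handle only removes the "start at 1 and count up" shortcut, and the log heuristic gives operations something to alert on while the fix is rolled out.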